Check for Missing Amazon Bedrock Agent Service Role

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Amazon Bedrock agents are associated with active service roles in order to have permissions to access other AWS cloud services and resources.

Security, Operational excellence

Amazon Bedrock agents require access to base models, access to the Amazon S3 objects containing the OpenAPI schemas for the action groups within the agents, and permissions to query knowledge bases that you want to attach to your agents. Also, if you encrypt your agent with an Amazon KMS key, the agent needs permissions to decrypt the key. If your Amazon Bedrock agents are no longer associated with active service roles, they will lose the ability to perform these essential operations.


Audit

To determine if your Amazon Bedrock agents are referencing active service roles, perform the following operations:

Getting the IAM permissions configuration for Amazon Bedrock agents via AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

03 In the main navigation panel, under Builder tools, select Agents.

04 In the Agents section, click on the name (link) of the agent that you want to examine, available in the Name column.

05 In the Agent overview section, under Permissions, click on the ARN (link) of the service role associated with the agent to open the role page in Amazon IAM. If the role page is no longer available and the following error message is displayed instead: The specified entity does not exist. The role with name \ cannot be found., the service role associated with the selected Amazon Bedrock agent no longer exists; therefore, the agent can no longer access other AWS cloud services and resources.

06 Repeat steps no. 4 and 5 for each Bedrock agent available within the current AWS region.

07 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.
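The Audit steps above as a programmatic check, added here as an example rather than Conformity's own tooling: it assumes the boto3 bedrock-agent ListAgents/GetAgent calls (returning agentResourceRoleArn) and iam GetRole, and keeps the decision logic separate from the API calls so it also runs offline on the constructed sample records.

```python
from typing import Callable, Iterable

# Constructed sample records shaped like the 'agent' dict returned by the
# bedrock-agent GetAgent API (field names are an assumption about that API).
SAMPLE_AGENTS = [
    {"agentId": "AGENT0001", "agentName": "orders-agent",
     "agentResourceRoleArn": "arn:aws:iam::111122223333:role/BedrockAgentRole-orders"},
    {"agentId": "AGENT0002", "agentName": "support-agent",
     "agentResourceRoleArn": "arn:aws:iam::111122223333:role/BedrockAgentRole-removed"},
]
EXISTING_ROLES = {"BedrockAgentRole-orders"}  # constructed: roles still present in IAM

def role_name_from_arn(arn: str) -> str:
    """IAM role ARNs may carry a path (role/service-role/Name): keep the last segment."""
    return arn.rsplit("/", 1)[-1]

def audit_agents(agents: Iterable[dict], role_exists: Callable[[str], bool]) -> list[dict]:
    """One finding per agent whose role ARN is absent or resolves to no IAM role.
    Either way the agent cannot reach models, S3 schemas, knowledge bases or KMS keys."""
    findings = []
    for agent in agents:
        arn = agent.get("agentResourceRoleArn")
        if not arn or not role_exists(role_name_from_arn(arn)):
            findings.append({"agentId": agent["agentId"],
                             "agentName": agent.get("agentName", ""),
                             "missingRoleArn": arn})
    return findings

def audit_with_boto3(region: str) -> list[dict]:
    """Live variant: enumerate agents via bedrock-agent, resolve each role via iam GetRole."""
    import boto3
    from botocore.exceptions import ClientError
    bedrock, iam = boto3.client("bedrock-agent", region_name=region), boto3.client("iam")

    def role_exists(name: str) -> bool:
        try:
            iam.get_role(RoleName=name)
            return True
        except ClientError as err:  # NoSuchEntity is the "role was deleted" signal
            if err.response["Error"]["Code"] == "NoSuchEntity":
                return False
            raise

    agents, kwargs = [], {}
    while True:  # ListAgents is paginated with nextToken
        page = bedrock.list_agents(**kwargs)
        for summary in page.get("agentSummaries", []):
            agents.append(bedrock.get_agent(agentId=summary["agentId"])["agent"])
        if not page.get("nextToken"):
            return audit_agents(agents, role_exists)
        kwargs = {"nextToken": page["nextToken"]}
```

Run audit_with_boto3 once per region, mirroring step 07; every finding is an agent to reconfigure under Remediation.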

Remediation / Resolution

To reconfigure any Amazon Bedrock agents associated with missing IAM roles, perform the following operations:

Replacing the service role for your Amazon Bedrock agents via AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

03 In the main navigation panel, under Builder tools, select Agents.

04 In the Agents section, select the Amazon Bedrock agent that you want to configure, and choose Edit.

05 In the IAM Permissions section, choose Create and use a new service role under Agent resource role to create a new service role for the selected Amazon Bedrock agent. If your Bedrock agent was configured to use a custom service role, consult this page to add the necessary permissions to your new service role.

06 Choose Save and exit to apply the configuration changes and return to the Agents listing page.

07 Repeat steps no. 4 - 6 for each Amazon Bedrock agent that you want to configure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Publication date Jun 13, 2024